An Accountability Approach to Compliance

Transcription

1 IAPP Asia Privacy Forum An Accountability Approach to Compliance Presented by: Terry McQuay, CIPP/US, CIPP/E, CIPP/C, CIPP/G, and CIPM Singapore May 5 th 2015

2 Introducing NYMITY A Data Privacy Research Company Software Solutions for the Privacy Office Focus: Dedicated to global data privacy compliance research Established: 2002 Headquarters: Toronto, Canada Research: Inventor of several compliance methodologies & frameworks Funding: Partially funded by government R&D grants Privacy Management Solutions: Attestor Benchmarks Templates Compliance Research Solutions: PrivaWorks MofoNotes LawReports Nymity is a global data privacy compliance research company specializing in accountability, risk, and compliance software solutions for the Privacy Office. Nymity s suite of software solutions helps organizations attain, maintain, and demonstrate data privacy compliance.

3 Nymity s Accountability Research Today s presentation is based on Nymity s research. Accountability 1. What is Accountability? 2. Compliance is an outcome of Accountability 3. Getting to Accountability, an approach of getting to Compliance

4 Accountability is a Privacy Principle

5 Accountability includes a Privacy Management Program DPA s Coming Soon: 1. Colombia 2. Australia 3. Bulgaria

6 Compliance is an Accountability Outcome A privacy management programme serves as a strategic framework to assist an organization in building a robust privacy infrastructure supported by an effective on-going review and monitoring process to facilitate compliance. Privacy Management Programme: A Best Practice Guide Hong Kong Office of the Privacy Commissioner for Personal Data, Hong Kong

7 Compliance is an Accountability Outcome An accountable organization must have in place appropriate policies and procedures that promote good practices which, taken as a whole, constitute a privacy management program. The outcome is a demonstrable capacity to comply, at a minimum, with applicable privacy laws. The Office of the Privacy Commissioner of Canada (OPC), and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia

8 Nymity s Research: Elements of an Effective Privacy Management Program 152 Privacy Management Activities: Procedures, policies, and other initiatives (measures/mechanisms) involving (or impacting) the processing of personal data. Privacy Management Programs: A privacy management program is made up the privacy management activities that were resourced by management and have operational support.

9 Accountability = Privacy Management Activities: Compliance is an Outcome Too Much, Where do I start?

10 Responsibilities Privacy Office Activities Privacy officer responsibilities: Privacy Management Activities that are the Responsibility of the privacy office. Operational Activities Privacy officer influences/observes: Privacy Management Activities that are the responsibility of operational units, including, Marketing, HR, IT, Legal, Procurement, Product Development.

11 Example Privacy Management Activities Privacy Office Activities Privacy officer responsibilities: Examples: maintain a data privacy policy maintain core training for all employees maintain a data privacy notice that details the organization s personal data handling policies consult with stakeholders throughout the organization on privacy matters Operational Activities Privacy officer influences /observes: Examples: maintain an information security policy maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) maintain data privacy requirements for third parties integrate data privacy into practices for monitoring employees

12 Accountability = Privacy Management Activities: Compliance is an Outcome 30 for the Privacy office

13 Ongoing Compliance is an Accountability Outcome Approach: When the right privacy management activities are implemented and maintained, ongoing compliance is one of the outcomes.

14 Nymity s Research: Getting to Accountability Four Steps to Accountability 1. Privacy office identifies current Privacy Management Activities across the organization 2. Privacy office implements core Privacy Management Activities based on resources provided 3. Privacy office influences/observes the implementation or enhancement of privacy management activities found in operational units based on resources provided 4. Maintain Privacy Management Activities based on resources provided

15 Step 1: Identify Current Privacy Management Activities Baseline Current Privacy Management Use the Framework to identify Privacy Management Activities throughout the organization. Result: Running Start Your Privacy Management Program already has activities in place.

16 Identify Resources through Baselining While identifying existing privacy management activities: Identify people that will help a primary resource Identify motivated management stakeholders Collect documentation where appropriate Use the Framework to identify available resources

17 Step 2: Privacy Office Implements New Privacy Management Activities Responsibility of the Privacy Office Select activities that can be maintained based on resources made available to the privacy office.

18 Step 3: Privacy Office Influences Operational Privacy Management Activities Responsibility of the Business and Operational Units Implement/enhance Privacy Management Activities that can be maintained by the resources made available from operational units. Example: Human Resources, IT, Legal, Product Development, Procurement, Marketing, Sales.

19 Step 4: Maintain Activities Report, on a scheduled basis, the status of the Privacy Management Program Maintain visibility to management to maintain resources Resource: Use the Framework for Management Reporting. Maintain an ongoing business case for privacy management

20 Where do I start? Depends on Resources 1. Minimal Resource Take a Privacy Policy Approach Great for part-time privacy officer with limited resources. 2. Medium Resources - Take a Governance Approach Great for privacy officers with support from management and Which operational business units, for example are HR, IT, Legal, Marketing, you? Sales, etc 3. Sufficient Resources Take the Textbook Approach Senior management provides support and budget, a dedicated team, plus operational support. Goal: Getting started with Resources Available

21 Minimal Resources Take a Privacy Policy Approach Where to start: 1. Maintain a data privacy policy A policy written for employees outlining the organizations privacy practices. 2. Maintain Notices Place your policy on the website and elsewhere to provide notice to individuals to which you collect, use, or disclose their personal data. 3. Training and Awareness Program Training employees based on your data privacy policy is the best way to mitigate privacy risk including the risk of non-compliance.

22 Medium Resources Take a Governance Approach Where to start: 1. Maintain Governance Structure Maintaining an annual privacy risk assessment, a charter, job descriptions, assign responsibilities throughout the organization, consult with stakeholders, report to management, etc. 2. Maintain a data privacy policy A policy written for employees outlining the organizations privacy practices. 3. Maintain Notices Place your policy on the website and elsewhere to provide notice to individuals to which you collect, use, or disclose their personal data. 4. Training and Awareness Program Training employees based on your data privacy policy.

23 Sufficient Resources Take a Textbook Approach Where to start: 1. Maintain Personal Data Inventory Maintain an inventory of data holding, with classification and data flows. 2. Maintain Governance Structure Maintaining an annual privacy risk assessment, a charter, job descriptions, assign responsibilities throughout the organization, consult with stakeholders, report to management, etc. 3. Maintain a data privacy policy A policy written for employees outlining the organizations privacy practices 4. Maintain Notices Place your policy on the website and elsewhere to provide notice to individuals to which you collect, use, or disclose their personal data. 5. Training and Awareness Program Training employees based on your data privacy policy.

24 When has the Privacy Office Achieved Accountability? Demonstrating Accountability Demonstrating the privacy office is maintaining the Privacy Management Activities to which they are responsible based on resources provided; and Resource: Use the Framework for Demonstrating Accountability. Demonstrating which operational units, that are participating, are maintaining the Privacy Management Activities based on the resources they are provided. The privacy office can do no more, and thus, they have achieved the maximum level of accountability possible!

25 Building the Business Case to Add or Maintain Privacy Office Resources Business Case for More Resources 1. Use Baseline to demonstrate what has been implemented Resource: Use the Framework to structure the business case to management. 2. Use Baseline to demonstrate resources available 3. Ask for additional resources to implement more activities If provided, the privacy office can do more, and achieved a higher level of accountability Outcome is Ongoing Compliance

26 Privacy Accountability Management Framework for Data Controllers Operating across Asia

27 Thank You Please feel free to contact us with any questions or comments concerning this presentation at Copyright 2015 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual property of Nymity Inc. unless otherwise indicated. Reproduction, modification, transmission, use or quotation of any content, including text, images, photographs etc., requires the prior written permission of Nymity Inc., 366 Bay Street, Suite 1200, Toronto, Ontario, Canada M5H 4B2.